Internet privacy is something consumers are increasingly aware of, but which is near-impossible to achieve. You are never truly invisible on the internet – just witness how quickly the Blackphone, made by encryption legends Silent Circle, met its match at DEF CON.
But while the free internet relies on “watching you” to sell ads, and others watch you just because they like it, there are a few steps sensible internet users should take for those moments when a little internet privacy IS required.
But when it comes to things you might want to keep private – business conversations that would be of interest to a rival, or hobbies such as motorcycling that might be of interest to an insurer – a few basic steps can help.
If you ARE James Bond, no security tip in the world will stop your enemies watching you – that’s their job. For most of us – from college students to small businesses to people afraid of one particular watcher, such as domestic violence survivors – some basic steps will help you stay private.
Tinfoil hats are not required. Nor is switching to a “private” browser such as Tor – although privacy-conscious users may find it surprisingly fast these days.
There are good reasons to revisit the internet privacy menus on your Facebook account - and it’s highly unwise to post anything to the network that is in any way sensitive. Facebook is not content with the trove of data provided by its own users – it deals with third-party “data broker” companies, who provide the company with encrypted lists of email addresses (for instance, of users who have bought a vacuum cleaner), which Facebook then matches against its own encrypted list. This means the company may ‘know’ more than you think it does. The only defense is to be cautious with data both inside and outside Facebook.
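The list matching described above can be sketched as follows. This is an added example, not code from the article or from Facebook: the article says only that the lists are "encrypted", so the unsalted SHA-256 hashing of normalized addresses, the function names and the sample addresses are all assumptions made for illustration.

```python
import hashlib


def normalize(email: str) -> str:
    """Trim whitespace and lower-case, so both parties hash the same string."""
    return email.strip().lower()


def hashed(email: str) -> str:
    """Unsalted SHA-256 of the normalized address (assumed scheme, see lead-in)."""
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def match(broker_hashes, network_accounts):
    """Return the network's own accounts whose hashed address is on the broker's list.

    The network never sees the broker's plaintext list, but it does not need to:
    it hashes the addresses it already holds and looks for equal digests.
    """
    index = {hashed(addr): addr for addr in network_accounts}
    return sorted(index[h] for h in broker_hashes if h in index)


# Constructed sample data (reserved example domains, not real people).
# The broker's list: people who bought a vacuum cleaner.
BROKER_BUYERS = ["Alice@Example.com ", "bob@example.com", "carol+shop@example.org"]
# The network's own account addresses.
NETWORK_ACCOUNTS = ["alice@example.com", "carol@example.org", "dave@example.com"]


def demo():
    broker_list = [hashed(a) for a in BROKER_BUYERS]  # only digests are handed over
    return match(broker_list, NETWORK_ACCOUNTS)


if __name__ == "__main__":
    print(demo())
```

Only the address reused on both sides matches. The buyer who gave the shop a different address from the one on their account is not linked, which is why caution with data outside the network matters as much as caution inside it.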
There are other good reasons behind people’s distrust of Facebook, and to ensure your account is locked up as much as possible. This year, the social site added hidden tracking in its ubiquitous ‘Like’ button to track users outside of Facebook pages. The new tracking method actually ignores users’ Do Not Track preference settings (the browser setting where users can choose “ask websites to not track me”). Staying logged out as much as possible is a good idea to increase your internet privacy.
Google is a major player in collecting data – every Google service from YouTube to Search collects information on signed-in users, and collates it into a single user profile. This is used to tailor Google ‘adwords’ – the text adverts that appear around searches and above Gmail’s Inbox – to the user. Google, however, is very open about how it all works, and you can opt out of almost everything, even if you’re a heavy user. If you do so, the only service you’ll really be unable to use is the excellent Google Now on Android, which relies heavily on search history and location history. It poses its own privacy risks, of course, if anyone looks over your shoulder…
Google itself offers a clear explanation of how its data collection works - and provides a dashboard of tools web users may wish to use to prevent themselves being tracked. For Google, personalized adverts are a service, and one you can choose not to use. Facebook’s approach is more opaque. Facebook said that it would also ignore “do not track” signals sent by browsers – a measure put in place to offer users choice on privacy – “because currently there is no industry consensus.”
Sharing information too openly online is a bad idea – leaving you open to spear phishing attacks. But data also falls into the hands of companies which trade in it – billions of data points at once, sold to advertisers and other companies. Most of these are perfectly normal companies. Some are not. The Federal Trade Commission is investigating ‘data brokers’. The industry is thus far largely unregulated, and brokers will offer anything from anonymous data gleaned from browsing, to a mix of data, some publicly available, some from website cookies and other tracking tools. You are significantly more likely to be identifiable from your data if you share things publicly – even the fact you own a dog, or your address, or if you geolocate pictures. Take control of this data. Don’t share when you don’t have to.
Social networks are a prime example, but “overfilling” a profile on a blog or corporate site can also reveal details. If there’s ever a box about sharing data with other companies, make sure you tick (or don’t tick) so your data isn’t shared. Whatever happens to it, it isn’t going away. Some, though not all, data brokers categorise customers in a way which may impact future eligibility for financial products – categorising them as uneducated, or putting them in a category of older people, for instance. This is information you should not share publicly, as it may impact your financial future.
Many companies ignore a browser’s request not to be tracked – including high profile firms such as Facebook. The only fix is to use Incognito or Private browsing, and not log in to Facebook as you browse.
You will still be followed by trackers (cookies and scripts embedded in most websites) as you browse, but the profile that’s built up applies to a user who disappears when the session ends. You are still, of course, not truly ‘private’ – your IP address can still be traced as having visited a particular website, but it helps. Setting your browser to delete cookies on closing also helps in this regard – but it’s not a silver bullet.
Don’t imagine smartphones are any different from PCs – you will be tracked on your browser, just as you are on a PC, and there are other security concerns, too. But one step is easy to take. Many apps allow users to log in using their Facebook details, which spares users the time of filling in a form.
However, this allows the social network to use information from the app, and apply this to its advertising profile to target adverts. Any information in the app becomes available to Facebook. If you’re worried about how much Facebook ‘knows’ about you, use email to log in instead.
If you are determined not to be watched, Tails is a high-end internet privacy tool – although it should be noted that it is not “spy proof”. It boots from a DVD or USB stick, and forces internet traffic through the anonymizing service Tor (all non-Tor connections are rejected). Tor is of course not immune from spying - but it’s as secure as it gets, most of the time.
When you’ve finished, Tails deletes all data from the session (it’s stored in RAM rather than in computer storage). It can be used on any computer, and leaves no trace once the session ends. You are, of course, still vulnerable to some techniques – for instance, electronic listening devices could pick up your keystrokes.
If you are using the internet for sensitive business reasons, use VPN software – either provided by your company or, if you’re a small business or freelancer, your own VPN client. Likewise, ensure you encrypt as much as you can – from emails to data stored on your PC. ESET researcher Stephen Cobb argues that encryption is now essential for business - and with the rate of data breaches seen over the past few months it’s hard to argue. Malware researcher Lysa Myers says, “The best way to protect your data from prying eyes is to make more of it unreadable to outside parties. And the best way to do this is to encrypt as much as you can, both data that is saved on your hard disk, and data that you send out of your machine, via email, web or other methods.”
No matter how paranoid you are, how security-conscious you are, there is always a way round your snoop-proof techniques. Unscrupulous and greedy people will find it. If you want something to stay private, don’t do it online, or on the phone. Do it in the real world. As more consumers use internet privacy tools, new unknown techniques appear to bypass them. ‘Canvas fingerprinting’ is a new technique, invisible to users, which became widespread among companies selling data to advertisers before the media were even aware of it. Requiring PCs to render a fragment of text, it bypasses “do not track” instructions to create a fingerprint which “shatters” current privacy tools, Princeton researchers say. One provider which uses the ‘fingerprinting’ technique, touted as a replacement for cookies for advertisers keen to track users across the web, uses its scripts in thousands of sites – and reaches 97.2% of the internet population in America, according to Comscore.
Author Rob Waugh, We Live Security